Affordable Business Continuity Planning (BCP) for Small Businesses

A Business Continuity Plan (BCP) is defined as a roadmap to enable a business to continue operations under adverse conditions, such as an unforeseen disaster or other interruption (bad weather, flooding, power outages, labor strikes, or any other identified risk to the business). Business continuity planning is a process of identifying the potential risks to your business and then evaluating how to prepare for these so that if they do happen, your business can continue to be viable. This is not the same thing as IT disaster recovery. IT disaster recovery involves making sure your IT systems can continue to function and your data is still available in the event that your primary systems go down; if a fire wipes out your server room for example or a massive blackout disables your primary network routers. Typically your IT service provider will provide you with options for backup hosting at other sites as part of Disaster Recovery Planning (DRP).

DRP is part of BCP, but BCP goes beyond just IT systems and looks at the entire business structure; in the event of a disaster where will your people work from? If downed trees and power lines cut off major roadways needed for distributing your product what will you do? If a swine flu outbreak keeps 3/4 of your staff at home can your business still function? This is what BCP looks at; being prepared for the unplanned interruptions. Making advanced preparations just in case of disaster is good business, but it does involve some cost, so the level of preparation needs to be evaluated against the potential risk. This is what an effective BCP plan will evaluate. The plan will look at each critical operation and identify the level of risk and the options for maintaining business in the event of a disaster. Based on this evaluation (typically know as a Business Impact Analysis or BIA), an effective and realistic BCP can be created which will effectively help the business to survive and operate during an unforeseen interruption or disaster. The critical elements of the plan must include not just the IT systems but also personnel/employees, communications, production, distribution and (very important) communications with customers, vendors, media, local authorities and governmental regulators. If you do not pay your taxes or your bank loans because your records are under water, you may not be in business after the water level goes down.

Big businesses have readily adopted this strategy and brought in consulting firms and purchased enterprise software to set up and manage BCPs. This has created the biggest opportunity for disaster-planning consultants since Y2K. The down side is that the price tag for having a firm set up and manage a BCP can go into the $100,000’s. For small businesses, this is too cost prohibitive but BCP is still critical and this should not deter small businesses from seriously thinking about what they would do in the event of a disaster.

Rather than paying out big$$$ for a team of consultants or licensing enterprise software, small businesses can benefit from following the same logical thinking that the consultants use. BCP firms typically come into a client with a standard set of templates (a basic generic roadmap for the BCP) which identifies all the potential risks and key operations in a business (paying vendors, manufacturing, customer service, regulatory filings, etc). The consultants then interview key individuals in each area and ask them how important each operation they perform is (how long can the business survive with out it?). Then they ask these same people what the options are to keep this operation going if a disaster happens (can you outsource it? To whom? Can you buy extra supplies and keep them somewhere else?). Then with this information, the consultants modify the standard templates as needed to suit the situation. The final modified templates are presented as a customized BCP plan to the business management, who ultimately makes the decisions on what they will support in terms of what steps will be put into place and how much money will be spent. The bulk of the specific actionable information in the BCP comes from the business, not the consultants. The BCP templates provide a guide to prompt the appropriate discussions and ask the right questions. So armed with a basic BCP template, a small business owner can perform this same procedure and come up with an effective BCP on their own or with the help of conscientious person (not necessarily a BCP consultant). Although the process of setting up and managing a BCP seems very complicated and/or prohibitively expensive for small businesses, it does not need to be. There are materials and resources available that would greatly help out the small businesses to be prepared for the unforeseen without the need to spend large sums of money.

The Value Of Information, Risk Management & Business Continuity – A Logical And Structured Approach

VALUE of INFORMATION

To ensure continuity (going concern) we make use of many resources. The unavailability or impairment of some resources will threaten continuity and affect our chances of success and sometimes our chances of survival. One of these important/critical resources is information.

We can consider the ‘intrinsic” value of information as the cost of acquiring, the means for storing, structuring, maintaining and delivering the information (computer systems).

The “consequential” value of computerized information is the potential loss (revenue, ability to service) if the information was destroyed/corrupted or could not be delivered on time.

We can buy insurance to cover the loss or inability to deliver/process information. However, that does not replace the loss.

So, where do we go from here? We need to protect against the loss of information and information systems and implement measures to recover the information and the systems. We cannot devise and implement effective measures based on theoretical assumptions or guesswork or gut feel. How much is too much? How much is not enough?

Our first step is the Risk Analysis where:

  • We establish the “intrinsic” and “consequential” values.
  • We identify the threats and the risks.
  • We remove the threats and minimize the risks where possible.

Our next step is to devise and implement contingency measures to address scenarios where the preventative measures have failed. With a good Risk Analysis we have removed the theoretical assumptions and have a much better measure of how much to invest in our contingency plans.

CONTINGENCY PLANS and CONTINUITY

Contingency plans can be produced quickly based on theoretical assumptions and expert consultations. While presenting a logical/methodical solution and giving a warm feeling (“WE HAVE A PLAN”), such a plan is only worth the paper it is written on.

A documented plan that is effective is the END RESULT of a process that adopts practical and tested (proven) solutions.

The method of developing and proving a Contingency Plans must be logical and practical. The method must answer the needs, be cost effective and provide the vehicle for success.

As opposed to other systems geared to supporting the business functions, contingency plans are not going to improve the profit margin or improve productivity. It involves added costs and human resources from which direct and tangible benefits might never be realised. It is, however, a key component of the overall strategy for protecting assets and ensuring business continuity and survival.

CONTINGENCY PLANS – Developing and Implementing the Plan

The definition of an effective plan:

A good Contingency Plan is a comprehensive and consistent statement of actions, tasks, dependencies and milestones along with resources required to accomplish a required level of recovery for given functions at given locations within given time frames.

The key words or sentences to be extracted from this definition are: ACTIONS/TASKS, DEPENDENCIES, RESOURCES, LEVEL OF RECOVERY, FUNCTIONS, LOCATIONS and TIME FRAMES. A good plan should address all these key words or sentences. A good plan should be detailed but to the point. It should exclude any lengthy policies and theoretical information. It is primarily an action plan giving very specific instructions.

Operations Risk and Business Continuity – The Eurostar Case

The recent problems experienced by the Eurostar train service that links London to Paris and Brussels is a very precise example of Operational Risk. As a case study the Eurostar events explain all the key issues that Risk Professionals have been speaking about for years. Because it is topical and has affected tens of thousands of people like you and me, at a critical travel period of the year – in the run-up to the Christmas holidays, it is worth taking a closer look at events in relation to their operational risk aspects.

The Eurostar “event” has all the drama and the pulling power that very few other events have in drawing attention to the nature of operational risk and the practices and procedures that should have been in place to mitigate the severity of the event.

For those who may not be familiar with the nature of the event this is what happened. The week before Christmas (2009) five Eurostar trains mysteriously broke down as they traveled through the English Channel Tunnel. Some two thousand passengers were trapped in the cold and the dark, without food or water for up to twelve or more hours. Thousands of other scheduled passengers were stranded at stations in all three countries.

This is precisely what Operational Risk is all about. Using the definition contained in the Basle II capital adequacy rules, operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.

The failure of five trains in rapid succession clearly points to “inadequate or failed internal processes, people or systems”. As matters unfold, “external events” play into this as well.

What failed and why? Well investigations rapidly revealed that sudden extreme weather conditions in France caused a very fine powdery snow that was able to penetrate the protective filters on the locomotives. Once the trains moved into the warmer air of the English Channel Tunnel, the water from the melted snow, now on the wrong side of the filters, led to the engine failures. This was the external event.

Could these events have been prevented? Possibly, but it is extreme situations like this that usually cannot be predicted because they are so rare. In normal operating conditions we would expect a combination of conditions like this to occur only once in a long, long time – usually to the magnitude of tens or even hundreds of years.

Where the real problem comes about is in the follow-up or lack of it. This part is the “…inadequate or failed internal processes, people or systems” component. In the Eurostar case it was the inability to move those stalled trains and their hapless passengers out of the tunnel quickly that became the real difficulty. This should have happened within no more than one hour after each train had stalled. This “rescue” ability has nothing to do with the cause of the event, but rather with the location. By its nature a tunnel is a weak point. It is a single concentration of train tracks in a very vulnerable position. Any stoppage of any train here, irrespective of the reason is a potentially extreme danger.

It is this issue that is the acid test for back-up, business continuity or the like. Getting the trains and their passenger out of the tunnel should have been a priority irrespective of what caused the problem. This should have been in the form of standby locomotives that are on twenty-four hour call at both ends of the tunnel. The provision of emergency lighting and basic food and water for such situations should not even be in question.

A further problem was the initial inability of Eurostar staff to provide adequate information to either the stranded passengers in the tunnel or at stations for an inordinately long period of time. Aside from other events this issue is awful for customer relations and bad for company reputation.

This highlights two more aspects to being prepared for such events. The one is practice, test-runs, drills, for all staff on a regular basis; the second is communicating with trapped passengers and telling them what is happening and what to expect. That is why airlines make you sit through that awfully boring demonstration before each flight.

Happily, apart from financial loss and ruined vacations, there was no real physical loss or injury. Yet these events provide a very clear example of what operational risk is and the procedures that should have been in place to mitigate the effects of the event once it had occurred. The Eurostar saga also provides a clear example of critical aspect of public relations in events like these